Agussetyar

**Name of the Vulnerable Software and Affected Versions** Vite versions prior to 2.9.16 Vite versions prior to 3.2.7 Vite versions prior to 4.0.5 Vite versions prior to 4.1.5 Vite versions prior to 4.2.3 Vite versions prior to 4.3.9 **Description** The issue involves a security risk in Vite where the server options can be bypassed using a double forward-slash (`//`). This allows any unauthenticated user to read files from the Vite root-path of the application, including the default `fs.deny` settings (`['.env','.env.*','*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network are affected, and only files in the immediate Vite project root folder could be exposed. **Recommendations** Update to Vite version 2.9.16 or later to fix the issue. Update to Vite version 3.2.7 or later to fix the issue. Update to Vite version 4.0.5 or later to fix the issue. Update to Vite version 4.1.5 or later to fix the issue. Update to Vite version 4.2.3 or later to fix the issue. Update to Vite version 4.3.9 or later to fix the issue. As a temporary workaround, consider reviewing and updating the server configuration options in your `vite.config.js` file to restrict access to unauthorized requests or directories. Restrict access to the Vite dev server by not exposing it to the network using `--host` or `server.host` config option.